
[BUG] x509_v2.create_csr fails with wildcard DNS in SAN #65072

Closed
danielbakken opened this issue Aug 28, 2023 · 1 comment · Fixed by #65076
danielbakken commented Aug 28, 2023

Description

Creating a CSR with a wildcard DNS name in the SAN fails with an error.

Specifying the wildcard only in the Subject CN works. However, browsers like Chrome and Firefox require SANs in server certificates, so this bug prevents Salt from requesting/creating valid wildcard certificates.

Setup

Salt 3006.1 onedir on RHEL9, with x509_v2 enabled in minion config:

features: {"x509_v2": true}

Steps to Reproduce the behavior

Command

salt-call x509.create_csr private_key='/path/to/key.pem' CN='*.test.acme.com' subjectAltName=['DNS:*.test.acme.com']

Error

[ERROR   ] An un-handled exception was caught by Salt's global exception handler:
InvalidCodepoint: Codepoint U+002A at position 1 of '*' not allowed
Traceback (most recent call last):
  File "/usr/bin/salt-call", line 11, in <module>
    sys.exit(salt_call())
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/scripts.py", line 444, in salt_call
    client.run()
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/cli/call.py", line 50, in run
    caller.run()
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/cli/caller.py", line 95, in run
    ret = self.call()
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/cli/caller.py", line 202, in call
    ret["return"] = self.minion.executors[fname](
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 149, in __call__
    return self.loader.run(run_func, *args, **kwargs)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1232, in run
    return self._last_context.run(self._run_as, _func_or_method, *args, **kwargs)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1247, in _run_as
    return _func_or_method(*args, **kwargs)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/executors/direct_call.py", line 10, in execute
    return func(*args, **kwargs)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 149, in __call__
    return self.loader.run(run_func, *args, **kwargs)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1232, in run
    return self._last_context.run(self._run_as, _func_or_method, *args, **kwargs)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1247, in _run_as
    return _func_or_method(*args, **kwargs)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/modules/x509_v2.py", line 1111, in create_csr
    builder, private_key = x509util.build_csr(
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/x509.py", line 387, in build_csr
    ext, critical = _create_extension(
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/x509.py", line 1075, in _create_extension
    return EXTENSION_BUILDERS[name](
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/x509.py", line 1321, in _create_subject_alt_name
    parsed = _parse_general_names(val)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/x509.py", line 1750, in _parse_general_names
    v = idna_encode(v, allow_leading_dot=True)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/x509.py", line 1694, in idna_encode
    ret = idna.encode(val).decode()
  File "/opt/saltstack/salt/lib/python3.10/site-packages/idna/core.py", line 358, in encode
    s = alabel(label)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/idna/core.py", line 270, in alabel
    ulabel(label)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/idna/core.py", line 304, in ulabel
    check_label(label)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/idna/core.py", line 261, in check_label
    raise InvalidCodepoint('Codepoint {0} at position {1} of {2} not allowed'.format(_unot(cp_value), pos+1, repr(label)))
idna.core.InvalidCodepoint: Codepoint U+002A at position 1 of '*' not allowed

Expected behavior

A valid CSR is created. Works only if the '*' wildcard is removed from the subject alternate name.

Versions Report

Salt Version:
Salt: 3006.1

Python Version:
Python: 3.10.11 (main, May 5 2023, 02:31:54) [GCC 11.2.0]

Dependency Versions:
cffi: 1.14.6
cherrypy: 18.6.1
dateutil: 2.8.1
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
Jinja2: 3.1.2
libgit2: Not Installed
looseversion: 1.0.2
M2Crypto: Not Installed
Mako: Not Installed
msgpack: 1.0.2
msgpack-pure: Not Installed
mysql-python: Not Installed
packaging: 22.0
pycparser: 2.21
pycrypto: Not Installed
pycryptodome: 3.9.8
pygit2: Not Installed
python-gnupg: 0.4.8
PyYAML: 5.4.1
PyZMQ: 23.2.0
relenv: 0.12.3
smmap: Not Installed
timelib: 0.2.4
Tornado: 4.5.3
ZMQ: 4.3.4

System Versions:
dist: rhel 9.2 Plow
locale: utf-8
machine: x86_64
release: 5.14.0-284.18.1.el9_2.x86_64
system: Linux
version: Red Hat Enterprise Linux 9.2 Plow

@danielbakken danielbakken added Bug broken, incorrect, or confusing behavior needs-triage labels Aug 28, 2023
@danielbakken danielbakken changed the title [BUG] x509_v2 create_csr fails with wildcard DNS in SAN [BUG] x509_v2.create_csr fails with wildcard DNS in SAN Aug 28, 2023
@anilsil anilsil added this to the Sulfur v3006.3 milestone Aug 29, 2023
@anilsil anilsil modified the milestones: Sulfur v3006.3, Sulfur v3006.4 Sep 8, 2023
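The traceback shows where this goes wrong: the whole SAN value, wildcard label included, is handed to `idna.encode()`, and the `idna` package's IDNA 2008 label check rejects U+002A ('*') as a codepoint. As an added example (not Salt's code and not the change in #65076), here is one way to encode a dNSName SAN while tolerating a single leading wildcard label: the `*` label is split off, the remaining labels are IDNA-encoded, and the wildcard is re-attached. Any other placement of `*` is refused, which matches what RFC 6125 section 6.4.3 tells clients to accept. The function names `encode_dns_san`, `naive_encode` and `_idna_encode` are my own; the block uses the `idna` package when it is installed and otherwise falls back to the stdlib `idna` codec (IDNA 2003), which does not validate codepoints and therefore does not reproduce the error on its own.

```python
"""Wildcard-tolerant IDNA encoding for a dNSName SAN value.

Added example; not Salt's code and not the fix referenced in the issue.
"""
try:
    import idna  # the library in the traceback above (IDNA 2008 label rules)
except ImportError:  # fall back to the stdlib codec (IDNA 2003), which lets '*' through
    idna = None


def _idna_encode(hostname: str) -> str:
    """Encode a hostname that contains no wildcard label.

    With the idna package this raises idna.core.InvalidCodepoint on characters
    IDNA 2008 does not allow, including '*'.
    """
    if idna is not None:
        return idna.encode(hostname).decode("ascii")
    return hostname.encode("idna").decode("ascii")


def naive_encode(san: str) -> str:
    """The pattern seen in the traceback: the whole value, '*' included, is encoded.

    With the idna package installed, naive_encode('*.test.acme.com') raises
    InvalidCodepoint; the stdlib codec simply returns the string unchanged.
    """
    return _idna_encode(san)


def encode_dns_san(san: str) -> str:
    """Encode a DNS SAN, allowing exactly one wildcard label in the left-most position.

    The wildcard label is never passed to the IDNA encoder; only the labels to its
    right are encoded, and '*.' is prefixed back onto the result.
    """
    labels = san.split(".")
    if any(label == "" for label in labels):
        raise ValueError(f"empty label in {san!r}")
    head, rest = labels[0], labels[1:]
    # '*' may only appear as the entire left-most label (RFC 6125 section 6.4.3)
    if any("*" in label for label in rest) or ("*" in head and head != "*"):
        raise ValueError(f"wildcard must be the whole left-most label: {san!r}")
    if head == "*":
        if not rest:
            raise ValueError("a bare '*' is not a valid SAN")
        return "*." + _idna_encode(".".join(rest))
    return _idna_encode(san)


if __name__ == "__main__":
    # Constructed sample values, including the one from the bug report.
    try:
        naive_encode("*.test.acme.com")
        print("naive: the stdlib codec let '*' through")
    except Exception as exc:  # idna.core.InvalidCodepoint with the idna package present
        print("naive:", type(exc).__name__, exc)
    for value in ("*.test.acme.com", "*.bücher.example", "foo.*.example.com"):
        try:
            print(value, "->", encode_dns_san(value))
        except ValueError as exc:
            print(value, "-> rejected:", exc)
```

Encoding the labels to the right of the wildcard rather than the whole string also keeps non-ASCII labels working (`*.bücher.example` becomes `*.xn--bcher-kva.example`), so the wildcard special case does not cost the IDNA handling the rest of the name needs.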
Ch3LL (Contributor) commented Sep 13, 2023

closed by #65076

@Ch3LL Ch3LL closed this as completed Sep 13, 2023